Abstract- Recently, radio frequency identification (RFID) has
been an important and ubiquitous infrastructure technology for
smart work systems. As RFID tags are affixed to all items, they
may be used to support various useful services. Security
mechanisms for RFID systems, such as authentication and
encryption, are therefore of utmost importance. However, there
are many risks involved, for example user privacy violations and
service interference. Therefore, a security service is required to
block these risk elements, and user authentication is an essential
component of a secure RFID system such as a smart work system.
In this paper, an authentication protocol for secure
communications is proposed for secure RFID network
environments, and its safety is verified using GNY logic.

Keywords- RFID (Radio Frequency Identification); Formal 
Methods; Modal Logic; Security Protocol 



I. INTRODUCTION 

In the RFID security domain, various issues are related to
data protection of tags, message interception over the air
channel, and eavesdropping within the interrogation zone of
the RFID reader [1, 2]. This area has so far been
dominated by the topics of data protection associated with
data privacy and authentication between tag and reader for
smart work systems. In this paper, two aspects of the risks
imposed on the passive party when using RFID are
discussed.

Firstly, the data privacy problem is that storing
person-specific data in an RFID system can threaten the privacy
of the passive party. This party may be, for example, a
customer or an employee of the operator. The passive party
uses tags or items that have been identified as tags, but the
party has no control over the data stored on the tags.

Secondly, authentication is carried out when the identity of
a person or program is verified. Then, on this basis,
authorization takes place, i.e. rights are granted, such as the
right of access to data. In the case of RFID systems, it is
particularly important for tags to be authenticated by the reader
and vice versa. In addition, readers must also authenticate
themselves to the backend, but in this case, there are no
RFID-specific security problems.

To satisfy the above requirements, security protocols play
an essential role. As with any protocol, a security protocol
comprises a prescribed sequence of interactions between
entities, and is designed to achieve a certain end. A diplomatic
protocol typically involves a memorandum of understanding
exchange, intended to establish agreement between parties
with potentially conflicting interests. Security protocols are, in
fact, excellent candidates for rigorous analysis techniques:
they are critical components of distributed security
architecture and very easy to express, but extremely
difficult to evaluate by hand. They are deceptively simple:
the literature is full of protocols that appear to be secure but
have subsequently been found to fall prey to a subtle attack,
sometimes years later. Cryptographic primitives are used as
building blocks to achieve security goals such as
confidentiality and integrity authentication.

Formal methods play a very critical role in examining
whether a security protocol is ambiguous, incorrect,
inconsistent or incomplete. Hence, the importance of applying
formal methods, particularly for safety critical systems, cannot
be overemphasized. There are two main approaches in formal
methods: logic based methodology [3, 4] and tool based
methodology [5, 6]. In this paper, the hash-based RFID
authentication protocols [1], which employ hash functions to
secure RFID communication, are specified, and whether they
satisfy security properties such as secrecy and authentication
is verified using GNY logic (Gong L., Needham R., and
Yahalom R.) [15] as the modal logic [3] methodology. After
verifying the protocols with GNY logic, the
existence of known security flaws in the protocols is
confirmed, and the problems of the hash based technique are
described. The contribution of this paper is designing and
verifying, using formal methods, the secure authentication
protocol that is widely researched in RFID systems. This paper
is organized as follows. In brief, Section II describes related
work on RFID security and authentication schemes associated
with hash functions. In Section III, the use of modal logic
(GNY) is outlined for analyzing security protocols. Section IV
describes the analysis result of the protocol. Section V
presents the proposed security scheme. Section VI addresses
conclusions and future work.

II. RELATED WORK 

There has been much literature attempting to address the 
security concerns raised by the use of RFID tags. 

A. The Hash Lock Scheme 

A reader defines a "Lock" value by computing lock =
hash(key) [7], where the key is a random value. This lock value is
sent to a tag and the tag stores this value in its reserved
memory (i.e. a metaID value); the tag then enters into a locked
state automatically. To unlock the tag, the reader transmits the
original key value to the tag, and the tag performs a hash
function on that key to obtain the metaID value. The tag then
has to compare the metaID with its current metaID value. If
both values match, the tag is unlocked. Once the tag is in an
unlocked state, it can transmit its identification number, such
as the Electronic Product Code (EPC) [2], to readers' queries in
the forthcoming cycles. This approach is simple and
straightforward in achieving data protection, i.e. the EPC code
stored in the tag is being protected. An authorized reader is
able to unlock and read the tag, then lock the tag again after
reading the code. This scheme is analyzed in Section IV in
detail.

B. The Randomized Hash Lock Scheme 

This is an extension of hash lock [7] based on pseudo-random
functions (PRFs). An additional pseudo-random
number generator is required to be embedded into tags for this
approach. Presently, tags respond to reader queries using a
pair of values (r, hash(IDk || r)), where r is the random number
generated by a tag and IDk is the ID of the k-th tag among a
number of tags ID1, ID2, . . ., IDk, . . ., IDn. For reader
queries, the tag returns two values. The first is the random
number. The second is a computed hash value based on the
concatenation (||) of its IDk and r. When the reader obtains
these two values, it retrieves the current n IDs (i.e.
ID1, ID2, . . ., IDn) from the backend database. The reader
will perform the above hash function on each ID from 1 to n,
with r, until it finds a match. When the reader finds a match,
the reader is able to identify that tag k is on its tag ID list (i.e.
tag authentication). The reader will then transmit the IDk
value to the tag for unlocking. Once the tag is in an unlocked
state, the reader can obtain its EPC code in the subsequent
reading cycle.

In addition to achieving RFID tag security, this scheme
also provides location privacy. In the hash lock scheme, tags
still disclose metaID values. However, this approach only
discloses r and the hashed value.
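The difference between the two schemes, as an added example that is not code from the paper: a Python model of the hash lock tag (Section II-A) and the randomized hash lock tag (Section II-B), together with the reader's search over the backend ID list. SHA-256, the 16-byte random values and the sample tag IDs are assumptions made for the example.

```python
import hashlib
import hmac
import secrets


def h(data: bytes) -> bytes:
    """Hash function of the schemes; SHA-256 is an assumption of this example."""
    return hashlib.sha256(data).digest()


class HashLockTag:
    """Section II-A: the tag stores metaID = hash(key) and stays locked until it sees key."""

    def __init__(self, tag_id: bytes, meta_id: bytes):
        self.tag_id = tag_id
        self.meta_id = meta_id
        self.locked = True

    def query(self) -> bytes:
        # A locked tag answers every query with the same stored metaID.
        return self.meta_id

    def unlock(self, key: bytes) -> bool:
        if hmac.compare_digest(h(key), self.meta_id):
            self.locked = False
        return not self.locked

    def read_id(self):
        # The ID (e.g. an EPC) is only released in the unlocked state.
        return None if self.locked else self.tag_id


class RandomizedHashLockTag:
    """Section II-B: the tag answers with (r, hash(ID_k || r)) for a fresh random r."""

    def __init__(self, tag_id: bytes):
        self.tag_id = tag_id
        self.locked = True

    def query(self):
        r = secrets.token_bytes(16)  # fixed length keeps ID_k || r unambiguous
        return r, h(self.tag_id + r)

    def unlock(self, candidate_id: bytes) -> bool:
        if hmac.compare_digest(candidate_id, self.tag_id):
            self.locked = False
        return not self.locked


def identify(response, known_ids):
    """Reader side of II-B: hash each backend ID with r until one matches."""
    r, digest = response
    for candidate in known_ids:
        if hmac.compare_digest(h(candidate + r), digest):
            return candidate
    return None  # the tag is not on the reader's ID list


def linkable(responses) -> bool:
    """True if any two observed responses are identical, so sightings can be linked."""
    return len(set(responses)) < len(responses)


# Constructed sample data: three backend IDs.
KNOWN_IDS = [b"EPC-0001", b"EPC-0002", b"EPC-0003"]


def demo():
    key = secrets.token_bytes(16)
    plain_tag = HashLockTag(KNOWN_IDS[1], h(key))   # the reader locked it with hash(key)
    random_tag = RandomizedHashLockTag(KNOWN_IDS[1])
    return {
        "hash_lock_linkable": linkable([plain_tag.query() for _ in range(3)]),
        "randomized_linkable": linkable([random_tag.query() for _ in range(3)]),
        "identified": identify(random_tag.query(), KNOWN_IDS),
        "unknown_tag": identify(RandomizedHashLockTag(b"EPC-9999").query(), KNOWN_IDS),
        "wrong_key_unlocks": plain_tag.unlock(secrets.token_bytes(16)),
        "right_key_unlocks": plain_tag.unlock(key),
        "id_after_unlock": plain_tag.read_id(),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The reader's cost in `identify` grows linearly with the number of backend IDs, which is the price the randomized scheme pays for unlinkable responses.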

C. The Chained Hash Scheme 

Ohkubo et al. [8][9] suggested the chained hash procedure
as a cryptographically robust alternative. In every activation,
the tag calculates a new metaID, using two different hash
functions. First, the current metaID is hashed in order to
generate a new metaID, which is then hashed again with the
aid of the second function. It is this second metaID that is
transmitted to the reader. For the purpose of decoding, the
reader must hash until a match with the metaID transmitted
from the tag has been found. The advantage of this procedure
is that it is not sensitive to repeated attempts to eavesdrop the
metaID during transmission via air waves.

D. Other Approaches 

Another hash-based approach is the Hash based Varying
Identifier proposed by Henrici and Müller [10]. Their scheme
also adopts a hash function and a random number generator
(RNG), but a pseudo random number is generated by a
back-end server and transmitted to the tag at every interrogation,
to make the tag's queried identifier random and preserve location
privacy.

Hwang et al. [11] proposed an improved authentication 
protocol of Hash based Varying Identifier. In their scheme, 
the main difference is that a reader has a random number 
generator to protect against a man-in-the-middle attack. 



III. FORMAL METHODS FOR SECURITY PROTOCOLS 

Modal Logic: GNY (Gong L., Needham R., Yahalom R.) [15] logic
is used to reason about security protocols. GNY logic is a
direct successor to BAN [3] logic and is quite powerful in its
ability to uncover even subtle protocol flaws. Discussion of
the virtues and limitations of the logic can be found in [12].

In GNY logic, message extensions are added to the
protocol description during protocol formalization, so that
principals can communicate their beliefs and thus reason about
each other's beliefs. The use of message extensions enables
the logic to deal with different levels of trust among protocol
principals. As such, it is considered an improvement over
BAN logic, which assumes that all principals are honest and
competent. This development is noteworthy as many protocol
attacks are performed by dishonest principals. As an example
of a message extension, consider the following:
$P \rightarrow Q: \{K, P\}_{K_S^-}$ is formally stated as
$Q \triangleleft {*}\{{*}K, P\}_{K_S^-} \leadsto S \mid\equiv P \xleftrightarrow{K} Q$.
This means that principal Q is informed of a session key, K,
and an identity, P, encrypted under the private key of principal
S. The session key, K, is marked with a not-originated-here
asterisk. Q is informed that S believes K is a suitable shared
secret for P and Q.

The postulates of GNY logic are used to deduce whether
protocol goals can be derived from the initial assumptions and
protocol steps. If such a derivation exists, the protocol is
successfully verified.

Logic-based formal verification involves the following
steps (Fig. 1):

1. Formalization of the protocol messages;

2. Specification of the initial assumptions;

3. Specification of the protocol goals;

4. Application of the logical postulates.



Fig. 1 The process of verification with modal logic 

The first step in logic-based verification involves 
specifying the protocol in the language of the logic by 
expressing each protocol message as a logical formula. This 
step is known as protocol formalization (some authors also 
refer to it as idealization). A formal description of the protocol, 
obtained by formalization, does not simply list the 
components of each message but attempts to show the purpose 
of these components so as to avoid ambiguity. 

The second step in the verification process involves 
formally specifying the initial protocol assumptions. These 
assumptions reflect the beliefs and possessions of the involved 
principals at the beginning of each protocol run. 

In the third step, the desired protocol goals are expressed 
in the language of the logic. These goals are specified in terms 
of the beliefs and possessions of the protocol participants at 
the end of a successful protocol run. 

The final verification step concerns the application of
logical postulates to establish the beliefs and possessions of
protocol principals. The objective of the logical analysis is to 
verify whether the desired goals of the protocol can be derived 
from the initial assumptions and protocol steps. If such a 
derivation exists, the protocol is successfully verified; 
otherwise, verification fails. A successfully verified protocol 
can be considered secure within the scope of the logic. On the 
other hand, even the results of failed verification are helpful, 
as these may point to missing assumptions or weaknesses in 
the protocol. If a weakness is discovered, the protocol should 
be redesigned and reverified. However, verification logic 
techniques have their limitations, not least of which is the 
likelihood of errors in protocol formalization. The number of 
opportunities to make such mistakes increases as the 
verification process becomes more complicated, requiring a 
thorough understanding of the logic used. During the 
verification process, the semantics of the protocol must be 
interpreted, in order to specify the meaning that a protocol 
message is intended to convey. This 'interpretation process' is 
somewhat controversial — different authors may interpret the 
same messages differently. If the formalized protocol does not 
properly represent the original design, then the proof 
demonstrates only that the protocol corresponding to this 
formal description is secure. However, no claims can be made 
on the security of the original design. Lack of clarity about 
protocol goals and initial assumptions is a further cause for 
concern. 

In some cases the same protocol may be used for slightly 
different purposes. For example if a protocol is used to 
generate a new session key, each principal involved in the 
protocol run may require that the other principal believes the 
session key to be a shared secret. This property is known as 
second level belief. If a protocol is verified as secure for first 
level belief only and used in an application where second level 
belief is required, serious security breaches are likely. Hence, 
it is vital to note the assumptions and goals under which a 
security protocol is considered secure during its formal 
verification. 

Despite these criticisms, different logic techniques have
identified numerous protocol weaknesses and are considered
successful. Gligor et al. [13] summarize the virtues of
authentication logic as follows:

• They help formalize reasoning about useful abstract 
properties of cryptographic protocols. 

• They force designers to make explicit security 
assumptions. 

• They achieve a reasonably well-defined set of 
authentication goals. 



IV. THE RFID AUTHENTICATION PROTOCOL AND ITS 
VERIFICATION 

Firstly, the behavior of the hash unlocking protocol is
modeled as the hash unlocking of the hash lock scheme. Hash
locking has already been described in Section II-A: the reader
simply writes the metaID as a keyed hash value in the tag.

The general overview of the authentication protocol (Table
I, Fig. 2) is as follows.

TABLE I HASH LOCK SCHEME NOTATION

T        RF Tag's Identity
R        RF Reader's Identity
DB       Back-End Server's Identity that has a Database
Xkey     Session Key Generated Randomly from X
metaID   Key Generated from Reader Using Hash Function
ID       Information Value of Tag
Xn       A Random Nonce Generated by X
H        Hash Function
E(M)     Encrypted Message with Key



Fig. 2 The hash unlocking protocol overview

Message 1: Request by the reader.

Message 2: The tag transmits the metaID (locked value as
hashed key) to the reader.

Message 3: The reader forwards the metaID to the
database.

Message 4: The database transmits the original key value
and tag ID to the reader after checking the
match between the metaID from the reader and
the metaID in the database.

Message 5: The reader transmits the original key to the tag to
ensure tag authentication.

Message 6: The tag transmits its information value to the
reader.



TABLE II NOTATION OF GNY LOGIC

$(X, Y)$
    Concatenation of two formulae
$\{X\}_K, \{X\}_K^{-1}$
    Symmetric encryption and decryption
$\#(X)$
    The formula X is fresh. X has not been sent in a message at
    any time before the current run of the protocol
$\phi(X)$
    Formula X is recognizable
$P \triangleleft X$
    P has received a message containing X and P can read and
    repeat X, possibly after performing some decryption
$P \triangleleft {*}X$
    P is told formula X which he did not convey previously
    during the current protocol run
$P \ni X$
    P possesses or is capable of possessing formula X
$P \mid\sim X$
    P conveyed X
$P \mid\equiv X$
    P believes X. That is, the principal P acts as if X is true
$X \leadsto C$
    Formula X has the extension C. The precondition for X being
    conveyed is represented by statement C
$P \mid\Rightarrow X$
    P has jurisdiction over X. The principal P is an authority on
    X and should be trusted on this matter. This construct is used
    when a principal has delegated authority over some statement
$P \xleftrightarrow{K} Q$
    K is a suitable secret for P and Q. They may use it as a key
    to communicate or as a proof of identity

A. Formalization of the Protocol Step

Fig. 3 Formalization of the protocol step

A formalized version of the protocol is shown in Fig. 3
(from Table II). The asterisks denote the ability of each
principal to recognize that it did not transmit the received
message at an earlier stage in the protocol.

In M1, the reader is told the metaID (locked value as
hashed key) from the tag, and the message extension in the
first message indicates that if a reader transmits an H(RKey) to
lock a tag, then the tag believes that the RKey contained in that
metaID belongs to the reader. In M2, the DB is told the
metaID from the reader, which means the metaID is forwarded
from the reader to the DB. In M3, the reader is told the original
key value and tag ID by the database after the match between
the metaID from the reader and the metaID in the database has
been checked, and the message extension in the third
message indicates that if the reader receives RKey and ID
from some principal, then the reader believes that the RKey
contained in that metaID belongs to the DB. In M4, the tag is
told the original key from the reader, and in M5, the reader is
told the tag ID from the tag.

B. Specification of the Initial Assumptions 

The initial assumptions for the hash unlocking protocol are 
as follows: 

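$T \ni metaID$; $T \ni RKey$; $T \ni ID$;
$DB \ni RKey$; $DB \ni ID$;
$R \mid\equiv \phi(RKey)$; $R \mid\equiv \phi(ID)$;
$T \mid\equiv R \xleftrightarrow{RKey} DB$; $T \mid\equiv T \xleftrightarrow{ID} DB$;
$T \mid\equiv DB \mid\Rightarrow DB \mid\equiv *$; $R \mid\equiv DB \mid\Rightarrow DB \mid\equiv *$;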



The first two rows state the possessions of both principals. 
Each principal possesses its information, its symmetric key 
and its identification data. The next row states the 
recognizability assumptions. Reader recognizes the symmetric 
key and other's identification data. The final two rows 
concern beliefs regarding the database server. Tag believes 
that RKey is the symmetric key between DB and Reader; ID is 
a secret value for DB and Tag, that DB is honest and 
competent, and that DB has jurisdiction over the other 
principal's symmetric key. 

C. Specification of the Protocol Goal 

The goals of the hash unlocking protocol are as follows: 



$R \mid\equiv \#(H(RKey))$; $T \mid\equiv \#(H(RKey))$;
$T \mid\equiv R \mid\sim RKey$; $R \mid\equiv T \mid\sim ID$;
$R \ni ID$

The goals in the first row state that both principals believe
H(RKey) to be fresh. The next row concerns authentication: each
principal should believe that its counterpart conveyed the
respective identification data. The goal on the remaining row
describes the confidentiality of the information.

D. Application of the Logical Postulates (from Appendix A) 



M1. $R \triangleleft {*}metaID \leadsto R \xleftrightarrow{H(RKey)} T,\ T \mid\equiv R \mid\sim H(RKey)$

• Applying T1 to M1 yields $R \triangleleft metaID$. R is told T's
metaID without the not-originated-here asterisk.

• Applying P1 yields $R \ni metaID$. The reader possesses the
metaID value of the tag.

• Since R recognizes RKey, by R1, $R \mid\equiv \phi(H(RKey))$. R
recognizes the H(RKey).

• However, R cannot believe that metaID is the valid current
value of the tag. The preconditions of J2 are not achieved
and the freshness of H(RKey) is not satisfied. An intruder
could use an old compromised hash value belonging to the
tag in order to masquerade as the reader.

M2. $DB \triangleleft {*}metaID$

• Applying T1 to M2 yields $DB \triangleleft metaID$. DB is told T's
metaID without the not-originated-here asterisk.

• Applying P1 yields $DB \ni metaID$. The database possesses
the metaID value of the tag.

• However, R still cannot believe that metaID is the valid
current value of the tag. The preconditions of J2 are not
achieved, as in M1. An intruder still could use an old
compromised hash value belonging to the tag in order to
masquerade as the reader.



M3. R< RKey, *ID ~> R 



RKey 



DB.R 



.DB 



• Applying T1 and P1 yields $R \ni (RKey, ID)$. The reader
possesses the (RKey, ID). By T2, $R \ni RKey$, $R \ni ID$.

• However, R cannot believe that RKey is the valid current
value from the tag's metaID. Since the freshness of RKey
is not satisfied, the reader cannot transmit RKey to the tag.

M4. $T \triangleleft RKey$
M5. $R \triangleleft ID$

• Applying T1 and P1 to M4 and M5 yields $T \ni RKey$,
$R \ni ID$.

• However, by I4, J2, the tag cannot believe that the reader
transmits RKey to the tag. The reader cannot believe that
the tag transmits the ID to the reader.

E. Weakness in the Hash Unlocking Protocol 

The above verification of the hash unlocking protocol 
identifies the following failed goals: 

1. R cannot derive that the H(RKey) is fresh;

2. T cannot derive that the H(RKey) is fresh;

3. T cannot derive that R conveyed RKey;

4. R cannot derive that T conveyed ID;

5. R cannot derive that ID is valid;

V. THE PROPOSED STRONG AUTHENTICATION PROTOCOL FOR
RFID SYSTEMS

A. Analysis of the Strong Authentication Protocol Using 
GNY Logic 

In the previous schemes [7-11], it is assumed that the database
is a TTP (Trusted Third Party) and the communication
channel between reader and database is secure. However, this
paper assumes that the database is not a TTP and the
communication channel is as insecure as current wireless
networks. It is also assumed that k is the secret session key
shared between reader and database, and that reader and
database have enough capability to manage the symmetric-key
cryptosystem and sufficient computational power for encryption
and decryption.

To satisfy security requirements, the most effective
protective measure against an attack involving eavesdropping
at the air interface is not to store any contents on the tag itself
and instead to read only the ID of the tag that the database has
transmitted to be scanned from the reader. This measure, which
is most often recommended in the technical literature and which
is assumed by EPCglobal [2], offers the additional advantages
that less expensive tags can be used and that the memory for the
associated data in the database is practically unlimited. The
main idea of this framework is based on the security algorithm
employed in the Yahalom protocol [14, 15].

The proposed protocol must guarantee the secrecy of the 
session key: in Messages 4, 5, the value of the session key 
must be known only by participants playing the roles of T and 
R. R and T also must be properly authenticated to the DB. 

Message 1. R -> T : Query

Message 2. T -> R : Tn

Message 3. R -> DB : $E_{ServerKey(R)}(T, Tn, Rn)$

Message 4. DB -> T : $E_{ServerKey(T)}(R, DBkey, Tn, Rn, ID)$

Message 5. DB -> R : $E_{ServerKey(R)}(T, DBkey)$

Message 6. T -> R : $E_{DBkey}(ID)$



Fig. 4 Overview of the proposed strong authentication protocol 

The main idea of the proposed protocol is that the
ServerKey and the tag's nonce (Tn) are used to minimize the
burden on the tag and to ensure authentication between tag
and reader. ServerKey is defined as a function that
takes in the name of a Server and returns a ServerKey, and could
be regarded as shared: Agent -> ServerKey. If the reader would
like to transmit any messages to the database, then it would use
the ServerKey with its identity as parameter. This description
resembles a functional programming language.

The general description of the proposed protocol is
as follows:

- Message 1: Query request by the reader.

- Message 2: T is defined to take a random nonce Tn and
transmit it to R. This makes simple challenge-response easy.

- Message 3: Through T, Tn, and the reader's nonce (Rn) with
the server key, R can ensure database authentication.

- Message 4: DB encrypts all of the R, DBkey, Tn, Rn, and
ID received from R and transmits these to T to allow R to
authenticate securely using the server key.

- Message 5: DB also transmits T, DBkey to R to decrypt
the tag's ID.

- Message 6: T can transmit ID securely using the DBkey
received in Message 4.

In addition, Messages 4 and 5 form a protocol step in which
the database can transmit to the other participants
simultaneously, so that the tag's ID in Message 6 can be
decrypted.
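The six messages above, with all three parties, as an added Python example that is not code from the paper. It assumes a toy encrypt-then-MAC construction built from SHA-256 in place of the symmetric cipher E, JSON as the message encoding, and that principal names travel in the clear with Messages 2 and 3; the names R1, T1 and EPC-0002 are constructed sample values.

```python
import hashlib
import hmac
import json
import secrets


def _stream(key, iv, n):
    """SHA-256 in counter mode: keystream for the toy cipher below."""
    blocks = (hashlib.sha256(b"enc" + key + iv + i.to_bytes(4, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]


def seal(key, fields):
    """E_key(fields): toy encrypt-then-MAC, a stand-in for the paper's symmetric cipher."""
    plain = json.dumps(fields, sort_keys=True).encode()
    iv = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plain, _stream(key, iv, len(plain))))
    return iv + ct + hmac.new(key, iv + ct, hashlib.sha256).digest()


def unseal(key, blob):
    iv, ct, mac = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(mac, hmac.new(key, iv + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, iv, len(ct)))))


class Tag:
    def __init__(self, name, server_key):
        self.name, self.server_key, self.tn = name, server_key, None

    def message2(self):
        self.tn = secrets.token_hex(8)          # fresh nonce Tn for this run
        return self.tn

    def message6(self, message4):
        m = unseal(self.server_key, message4)
        if self.tn is None or not hmac.compare_digest(m["Tn"], self.tn):
            raise ValueError("Tn mismatch: Message 4 is not from this run")
        self.tn = None                          # a nonce is accepted once
        return seal(bytes.fromhex(m["DBkey"]), {"ID": m["ID"]})


class Reader:
    def __init__(self, name, server_key):
        self.name, self.server_key, self.tag_name = name, server_key, None

    def message3(self, tag_name, tn):
        # Assumption: the tag's name T reaches the reader together with Tn.
        self.tag_name = tag_name
        return seal(self.server_key, {"T": tag_name, "Tn": tn, "Rn": secrets.token_hex(8)})

    def read_id(self, message5, message6):
        m = unseal(self.server_key, message5)
        if m["T"] != self.tag_name:
            raise ValueError("Message 5 names a different tag")
        return unseal(bytes.fromhex(m["DBkey"]), message6)["ID"]


class Database:
    def __init__(self, server_keys, tag_ids):
        self.server_keys, self.tag_ids = server_keys, tag_ids  # ServerKey(agent); tag -> ID

    def messages4_5(self, reader_name, message3):
        # Assumption: the reader's name accompanies Message 3 so DB can pick ServerKey(R).
        req = unseal(self.server_keys[reader_name], message3)
        tag, db_key = req["T"], secrets.token_hex(16)          # DBkey: new session key
        m4 = seal(self.server_keys[tag], {"R": reader_name, "DBkey": db_key, "Tn": req["Tn"],
                                          "Rn": req["Rn"], "ID": self.tag_ids[tag]})
        return m4, seal(self.server_keys[reader_name], {"T": tag, "DBkey": db_key})


def build_parties():
    """Constructed sample deployment: reader R1, tag T1 and the backend."""
    keys = {"R1": secrets.token_bytes(32), "T1": secrets.token_bytes(32)}
    return Reader("R1", keys["R1"]), Tag("T1", keys["T1"]), Database(keys, {"T1": "EPC-0002"})


def run_once(reader, tag, db):
    tn = tag.message2()                           # Message 1 (Query) and Message 2
    m3 = reader.message3(tag.name, tn)            # Message 3
    m4, m5 = db.messages4_5(reader.name, m3)      # Messages 4 and 5
    m6 = tag.message6(m4)                         # Message 6
    return reader.read_id(m5, m6), m4


def demo():
    reader, tag, db = build_parties()
    tag_id, old_m4 = run_once(reader, tag, db)
    tag.message2()                                # a later run: the tag draws a new Tn
    try:
        tag.message6(old_m4)                      # Message 4 recorded in the earlier run
        replay_rejected = False
    except ValueError:
        replay_rejected = True
    return tag_id, replay_rejected
```

The tag's check of Tn is what ties Message 4 to the current run: a Message 4 recorded earlier still carries a valid MAC, but its nonce no longer matches.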



1) Formalization of the Protocol Steps:

Fig. 5 The formalization of the protocol step

A formalized version of the protocol is shown in Fig. 5. 
The asterisks denote the ability of each principal to recognize 
that it did not transmit the received message at an earlier stage 
in the protocol. The protocol step in message 1 (Fig. 4.) was 
omitted in Fig. 5. 

2) Specification of the Initial Assumption: 

The initial assumptions for the proposed protocol are as 
follows; 

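$T \ni Tn$; $T \ni K(T)$; $R \ni Rn$; $R \ni K(R)$;
$DB \ni Id$; $DB \ni DBKey$; $DB \ni K(T)$; $DB \ni K(R)$;
$T \mid\equiv \phi(Id)$; $T \mid\equiv \phi(T, DBKey)$;
$R \mid\equiv \phi(Id)$; $R \mid\equiv \phi(DBKey)$;
$T \mid\equiv \#Tn$; $R \mid\equiv \#Rn$; $DB \mid\equiv \#DBKey$;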

T = DBK ;ypR ; T =I^DB; T =(DB\=> DBK ?R); 

R =^$ y DB;R ^^DB;R =(DB\^^> ey T); 

The first two rows mean that each principal possesses its 
random nonce, symmetric key and information data. The next 
two rows state that the tag and reader recognize the other's 
symmetric key and information data. The next row means that 
each principal believes its nonce or key freshness. The final 
two rows concern beliefs regarding the database server that 
DB has jurisdiction over its own key and the other principal's 
symmetric key. 

3) Specification of the Protocol Goal: 

The goals of the proposed protocol are as follows; 

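$DB \mid\equiv \#\{T, Tn, Rn\}_{K(R)}$;
$T \mid\equiv \#\{R, DBKey, Tn, Rn, Id\}_{K(T)}$;
$R \mid\equiv DB \mid\sim \{DBKey\}_{K(R)}$; $R \mid\equiv T \mid\sim \{ID\}_{DBKey}$;
$T \mid\equiv T \xleftrightarrow{DBKey} R$; $R \mid\equiv T \xleftrightarrow{DBKey} R$;
$R \ni Id$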



The first three rows concern authentication: each principal
should believe that its counterpart conveyed the
respective identification data. The goals in the fourth row
describe key agreement: both principals should possess the
shared key through a challenge-response process. The goal on
the remaining row describes the confidentiality of the
information.



were primarily designed to provide link security to protect
against passive and active attacks over the air interface. Due to
space limitations, the results of analyzing the vulnerabilities
of the other protocols, the randomized hash protocol and the
chained hash protocol, are described in brief in Table III.



4) Application of the Logical Postulates (from Appendix A):

M1. $R \triangleleft {*}Tn$

• Applying T1 and P1 yields $R \ni Tn$. The reader possesses
T's random nonce.

M2. $DB \triangleleft {*}\{T, Tn, Rn\}_{K(R)}$

• Applying T1 and T3 yields $DB \triangleleft T, Tn$, and $Rn$; by T2 and
P1, $DB \ni T$, $DB \ni Tn$, $DB \ni Rn$.

• Applying F1 yields $DB \mid\equiv \#\{T, Tn, Rn\}_{K(R)}$ and satisfies
the goal at the first row in V.A.3.

M3. $T \triangleleft \{{*}R, {*}DBKey, Tn, {*}Rn, {*}ID\}_{K(T)}$

• Applying T3 yields $T \triangleleft ({*}R, {*}DBKey, Tn, {*}Rn, {*}ID)$.

• Applying T2 and T1, P1 yields $T \ni DBKey$, $T \ni Tn$, $T \ni Rn$,
and $T \ni ID$.

• Applying F1 yields $T \mid\equiv \#\{R, DBKey, Tn, Rn, ID\}_{K(T)}$ and
satisfies the goal at the second row.

M4. $R \triangleleft \{T, {*}DBKey\}_{K(R)}$

• Applying T3 yields $R \triangleleft \{T, {*}DBKey\}$.

• Applying T2, T1 and P1 yields $R \ni DBKey$.

• Applying I4 yields $R \mid\equiv DB \mid\sim \{DBKey\}_{K(R)}$ and satisfies
the first goal at the third row.

• Applying $R \ni DBKey$ and I4 yields $R \mid\equiv T \mid\sim \{ID\}_{DBKey}$
and satisfies the second goal at the third row.

M5. $R \triangleleft \{{*}ID\}_{DBKey}$

• Applying T3 and P1 yields $R \ni ID$ and satisfies the goal at
the last row.



Through $T \ni DBKey$ in M3 and $R \ni DBKey$ in M4, the
goals ($T \mid\equiv T \xleftrightarrow{DBKey} R$; $R \mid\equiv T \xleftrightarrow{DBKey} R$;)
at the fourth row are satisfied.
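The possession steps of this derivation can be checked mechanically. The Python sketch below is an added example, not part of the paper: it closes each principal's told messages under the being-told and possession postulates T1, T2, T3 and P1 only (no belief or freshness postulates), using the M1-M5 formalization above. The tuple encoding of formulae, the spelling ID for both Id and ID, and the key-less observer are assumptions of the example.

```python
def star(x):
    """*X: the not-originated-here mark."""
    return ("star", x)


def cat(*parts):
    """(X, Y, ...): concatenation."""
    return ("cat",) + parts


def enc(key, *parts):
    """{X, Y, ...}K: encryption of the concatenation under key K."""
    return ("enc", key, cat(*parts))


def possessions(initial, told):
    """Atoms a principal possesses after being told `told`, using T1, T2, T3 and P1 only."""
    has = set(initial)
    queue, seen, waiting = list(told), set(), []
    while queue:
        x = queue.pop()
        if x in seen:
            continue
        seen.add(x)
        has.add(x)                                   # P1: told X  =>  possesses X
        kind = x[0] if isinstance(x, tuple) else None
        if kind == "star":
            queue.append(x[1])                       # T1: told *X  =>  told X
        elif kind == "cat":
            queue.extend(x[1:])                      # T2: told (X, Y)  =>  told X, told Y
        elif kind == "enc":
            waiting.append(x)                        # T3 needs the key first
        ready = [c for c in waiting if c[1] in has]
        waiting = [c for c in waiting if c[1] not in has]
        queue.extend(c[2] for c in ready)            # T3: told {X}K, possesses K  =>  told X
    return {t for t in has if isinstance(t, str)}


# Formalized messages M1-M5 of the proposed protocol (Section V.A.4).
M1 = star("Tn")
M2 = star(enc("K(R)", "T", "Tn", "Rn"))
M3 = enc("K(T)", star("R"), star("DBKey"), "Tn", star("Rn"), star("ID"))
M4 = enc("K(R)", "T", star("DBKey"))
M5 = enc("DBKey", star("ID"))

# Possession rows of the initial assumptions (Section V.A.2).
INITIAL = {
    "T": {"Tn", "K(T)"},
    "R": {"Rn", "K(R)"},
    "DB": {"ID", "DBKey", "K(T)", "K(R)"},
}
TOLD = {"R": [M1, M4, M5], "DB": [M2], "T": [M3]}


def derive_all():
    return {p: possessions(INITIAL[p], TOLD[p]) for p in INITIAL}


def observer():
    """Assumption of this example: a principal with no keys who is told every message."""
    return possessions(set(), [M1, M2, M3, M4, M5])


def reader_without_m4():
    """R ∋ ID depends on R ∋ DBKey from M4: without M4, T3 never applies to M5."""
    return possessions(INITIAL["R"], [M1, M5])


if __name__ == "__main__":
    for principal, atoms in derive_all().items():
        print(principal, sorted(atoms))
    print("observer", sorted(observer()))
```

This reproduces only the possession results of the derivation; the belief goals (freshness via F1, conveyance via I4) are outside what the sketch checks.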



TABLE III COMPARISON AMONG PROTOCOLS (O: SECURE, -: INSECURE)

Lists                   H.L.          R.H.                C.H.             Proposed
                        (Hash Lock)   (Randomized Hash)   (Chained Hash)
Data Confidentiality    -             -                   -
Tag Anonymity           -             -                   -                O
Data Integrity          -             O                   O                O
Reader Authentication   -             O                                    O
DB Authentication       O             O                   -                O
Mitm Attack             -             -                   -
Replay Attack           -             O                   -                O


From Table III, it can be seen that the proposed protocol 
meets all security requirements listed above. These protocols 



B. The Result of Verification 

After verifying the protocols using GNY logic, it is
confirmed that the proposed protocol solves the security
weaknesses in previous hash-based protocols.

• Secrecy: Spoofing, replay attacks, tracking, and
eavesdropping on communication between tag and reader
are attacks that threaten all participants. The
countermeasures against these attacks are therefore essentially
identical in this protocol, as follows. Firstly, all data
except the ID are shifted to the backend. This is also to be
recommended for reasons of data management (i.e. the ID
for the tag existing at the backend database will be shifted
to protect against spoofing and eavesdropping attacks on the
tag through the database when the reader sends a request).
Secondly, data transmission is encoded. Encryption of the
data transmission is supported to ensure authorized access
to the data of concern and to protect against replay attacks
and tracking.

• Authentication: When a tag receives a "get challenge
(query)" command from a reader, it generates a random
number Tn and sends this number to the reader. The reader
in turn generates a random number Rn and, with it and the
random number Tn, generates an encrypted data block
(token T) on the basis of an encryption algorithm and
server key (R). The data block is then returned to the
database to authenticate the reader. The reader and tag
both use the same encryption algorithm, and since the
server key is stored on the tag, the tag is capable of
decrypting the server key (T). If the original random
number Tn and the random number Tn, which has now
been decrypted, are identical, then the authenticity of the
tag vis-a-vis the reader is demonstrated.

C. Availability Problem of Proposed Protocol 

In this paper, we propose a strong RFID authentication
protocol based on a symmetric key algorithm. Regarding
performance of the protocol at an application level, our
assumption is that CPUs are now faster and memory and
network speeds have also increased, but not nearly as much as
CPU speeds. Pure computation, such as is used in a block
cipher, is cheaper in both absolute terms and relative to other
tasks, such as writing the data to disk. Unlike DES, nearly all
AES candidates are designed for high performance in software.

It could be argued that for most applications, nearly all
AES algorithms are fast enough. Some literature [16, 17] has
reached the point where cryptography is not a significant
portion of the total CPU burden, and the relative speed of the
algorithms no longer matters very much. Therefore, our
proposed protocol can be available for light-weight tags in the
RFID system.

VI. DISCUSSION AND CONCLUSIONS 

Smart work is defined as environments where users can
receive smart work system services for anytime and anywhere
access through any device, connected with a wired and
wireless network to home information appliances including
the PC. In this environment, there are many security threats
that violate user privacy and interfere with smart work
services. In particular, smart work consists of several
networks with RFID systems; therefore, authentication between
the reader and the appliance devices with affixed tags is
required.

In this paper, the RFID security requirements in smart
work environments are defined, and an authentication mechanism
among reader, tag and database is proposed. The focus is to
analyze the vulnerabilities of the protocol using formal
methods and to design and verify the secure authentication
protocols, which are widely researched in RFID systems. In
verifying these protocols using GNY logic, it is possible to
confirm some of the known security vulnerabilities likely to
occur in RFID systems.

Finally, a strong authentication protocol based on an
encryption algorithm is proposed for guarding against
man-in-the-middle and replay attacks, and also for verifying
safety using GNY logic.

APPENDIX A. GNY LOGICAL POSTULATES

In this appendix we list the logical postulates of GNY
logic used throughout this paper.

T1: $\dfrac{P \triangleleft {*}X}{P \triangleleft X}$

If a principal is told a formula marked with a
not-originated-here asterisk, then the principal is told that
formula.

T2: $\dfrac{P \triangleleft (X, Y)}{P \triangleleft X}$

Being told a formula implies being told each of its
concatenated components.

T3: $\dfrac{P \triangleleft \{X\}_K,\ P \ni K}{P \triangleleft X}$

If a principal is told a formula encrypted with a key that he
possesses, then he is considered to have been told the
decrypted contents of that formula.

P1: $\dfrac{P \triangleleft X}{P \ni X}$

A principal is capable of possessing anything he is told.

F1: $\dfrac{P \mid\equiv \#(X)}{P \mid\equiv \#(X, Y),\ P \mid\equiv \#(F(X))}$

If a principal believes that a formula X is fresh, then it is
believed that any formula of which X is a component is fresh
and that a computationally feasible one-to-one function, F, of
X is fresh.

R1: $\dfrac{P \mid\equiv \phi(X)}{P \mid\equiv \phi(X, Y),\ P \mid\equiv \phi(F(X))}$

If a principal believes that a formula X is recognizable,
then it is believed that any formula of which X is a component
is recognizable and that a computationally feasible one-to-one
function, F, of X is recognizable.



I4: $\dfrac{P \triangleleft \{X\}_{K^-},\ P \ni K^+,\ P \mid\equiv \xmapsto{K^+} Q,\ P \mid\equiv \phi(X),\ P \mid\equiv \#(X, K^+)}{P \mid\equiv Q \mid\sim X,\ P \mid\equiv Q \mid\sim \{X\}_{K^-}}$

If, for principal P, the following conditions hold: P
receives a formula X encrypted under private key (K-), P
possesses the corresponding public key (K+), believes the
public key belongs to Q, and P believes that the formula X is
recognizable and that either X or K+ is fresh. Then, P believes
that Q once conveyed the message X, and that Q once conveyed
the message X encrypted under Q's private key (K-).

J2: $\dfrac{P \mid\equiv Q \mid\Rightarrow Q \mid\equiv *,\ P \mid\equiv Q \mid\sim (X \leadsto C),\ P \mid\equiv \#(X)}{P \mid\equiv Q \mid\equiv C}$

If principal P believes that Q is honest and competent and P
receives a fresh message X with the extension C, which he
believes Q conveyed, then P believes that Q believes C.